Suppressions done right

Skip with a reason, not blindly.

Intermediate14 min · lesson 5 of 12

No scanner is right 100% of the time — some findings are false positives, some are accepted risks, some do not apply to a specific resource. Suppressions are how you handle those, and doing them right is the difference between a trusted gate and a muted one. The best practice is an inline skip comment on the specific resource, naming the exact check and a reason, so the exception is visible in code review and travels with the resource.

main.tf
resource "aws_s3_bucket" "public_assets" {
bucket = "acme-public-web-assets"
# checkov:skip=CKV_AWS_20:This bucket intentionally serves public static assets (approved: TICKET-482)
}

Scope suppressions tightly

The inline skip is scoped to one resource and one check — exactly what you want. Avoid the blunt instruments: --skip-check applied globally, or blanket config that disables a check everywhere, hides that check for resources that genuinely violate it. When a check is wrong for your whole org, prefer adjusting policy centrally with a reviewed decision rather than a repo-wide skip. Every suppression should answer “why is this safe here?” in the code.

terminal
# blunt (avoid as a habit): skip a check everywhere
$ checkov -d . --skip-check CKV_AWS_20
# better: inline, scoped, documented — the skip lives with the resource and reason
An undocumented suppression is a hidden risk
A skip without a reason (or a global skip nobody remembers) silently disables a security check, and the next person cannot tell an accepted risk from a forgotten mute. Require a reason on every suppression, review them like code, and periodically audit your skips — an accumulation of undocumented suppressions is how a scanner quietly stops protecting you.